737f5610e3
The newer versions of ElasticSearch use Java 15 which has dropped some of those options, we can keep backwards compatibility by pinning to certain versions[1]. [1]: https://discuss.elastic.co/t/elasticsearch-wont-start-after-7-9-1-to-7-9-2-upgrade/249878/2 Change-Id: Iaa29bc202d9eb9c5eda3040b38596f0524a0c453
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for elasticsearch
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

---
# Container images used by the chart's workloads and jobs.
#
# NOTE(review): every reference below is a mutable tag (for example `2.4`
# or `latest-7_6_2`); none is pinned by digest, so the content behind a tag
# can change without this file changing. With pull_policy IfNotPresent a
# node keeps whichever copy it pulled first, so nodes can end up running
# different builds of the "same" tag. Pin by digest in overrides where
# reproducibility or supply-chain integrity matters.
images:
  tags:
    apache_proxy: 'docker.io/httpd:2.4'
    memory_init: 'docker.io/openstackhelm/heat:newton-ubuntu_xenial'
    elasticsearch: 'docker.io/openstackhelm/elasticsearch-s3:latest-7_6_2'
    curator: 'docker.io/bobrik/curator:5.8.1'
    ceph_key_placement: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20191216'
    s3_bucket: 'docker.io/openstackhelm/ceph-daemon:ubuntu_bionic-20191216'
    s3_user: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20191216'
    helm_tests: 'docker.io/openstackhelm/elasticsearch-s3:latest-7_6_2'
    prometheus_elasticsearch_exporter: 'docker.io/justwatch/elasticsearch_exporter:1.1.0'
    dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
    snapshot_repository: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20191216'
    elasticsearch_templates: 'docker.io/openstackhelm/elasticsearch-s3:latest-7_6_2'
    image_repo_sync: 'docker.io/docker:17.07.0'
  pull_policy: 'IfNotPresent'
  # Optional in-cluster registry mirror; the images listed under `exclude`
  # are left out of it.
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync
# Node-selector label (key/value) per component. Every component defaults to
# the same `openstack-control-plane: enabled` label.
labels:
  client:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  data:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  exporter:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  master:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  job:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  test:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
  gateway:
    node_selector_key: 'openstack-control-plane'
    node_selector_value: 'enabled'
# Start-up ordering: the services and jobs each component waits for.
# `dynamic` entries apply only when the matching feature (here the local
# image registry) is in use; `static` entries are listed per component.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - elasticsearch-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    curator:
      services:
        - endpoint: internal
          service: elasticsearch
        - endpoint: data
          service: elasticsearch
        - endpoint: discovery
          service: elasticsearch
      jobs:
        - elasticsearch-register-snapshot-repository
    elasticsearch_client:
      services:
        - endpoint: discovery
          service: elasticsearch
      jobs: null
    elasticsearch_gateway:
      services:
        - endpoint: discovery
          service: elasticsearch
    elasticsearch_data:
      services:
        - endpoint: internal
          service: elasticsearch
        - endpoint: discovery
          service: elasticsearch
      jobs: null
    elasticsearch_master:
      services: null
      jobs: null
    elasticsearch_templates:
      services:
        - endpoint: internal
          service: elasticsearch
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry
    prometheus_elasticsearch_exporter:
      services:
        - endpoint: internal
          service: elasticsearch
    snapshot_repository:
      services:
        - endpoint: internal
          service: elasticsearch
      jobs:
        - elasticsearch-s3-bucket
    verify_repositories:
      services: null
      jobs:
        - elasticsearch-register-snapshot-repository
    s3_user:
      services:
        - endpoint: internal
          service: ceph_object_store
    # The bucket job runs after the S3 user job, and the snapshot repository
    # job (above) runs after the bucket job.
    s3_bucket:
      jobs:
        - elasticsearch-s3-user
    tests:
      services: null
      jobs:
        - elasticsearch-register-snapshot-repository
# Pod-level settings: extra env, AppArmor profiles, security contexts,
# scheduling, upgrade strategy, extra mounts and resource requests/limits.
pod:
  env:
    client: null
    data: null
    master: null
    gateway: null
    secrets: null
  # AppArmor profile per pod and container; all use the runtime default.
  mandatory_access_control:
    type: apparmor
    elasticsearch-master:
      elasticsearch-master: runtime/default
    elasticsearch-data:
      elasticsearch-data: runtime/default
    elasticsearch-client:
      elasticsearch-client: runtime/default
    elasticsearch-gateway:
      elasticsearch-gateway: runtime/default
  # NOTE(review): apart from the exporter (runAsUser 99), every pod below
  # runs as UID 0, and the main Elasticsearch containers set
  # `privileged: true` in addition to adding IPC_LOCK and SYS_RESOURCE.
  # A privileged container already holds every capability, so the
  # `capabilities.add` lists have no effect while `privileged` stays true.
  # If those two capabilities are what is actually needed (IPC_LOCK matches
  # conf.elasticsearch.config.bootstrap.memory_lock), dropping `privileged`
  # from the long-running containers would narrow what a compromised
  # Elasticsearch process can reach on the node -- TODO confirm against the
  # pod templates before changing.
  # The `memory_map_increase` init containers are privileged as well;
  # presumably they apply conf.init.max_map_count on the host -- verify.
  security_context:
    exporter:
      pod:
        runAsUser: 99
      container:
        elasticsearch_exporter:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    client:
      pod:
        runAsUser: 0
      container:
        memory_map_increase:
          privileged: true
          readOnlyRootFilesystem: true
        apache_proxy:
          readOnlyRootFilesystem: false
        elasticsearch_client:
          privileged: true
          capabilities:
            add:
              - IPC_LOCK
              - SYS_RESOURCE
          readOnlyRootFilesystem: false
    master:
      pod:
        runAsUser: 0
      container:
        memory_map_increase:
          privileged: true
          readOnlyRootFilesystem: true
        elasticsearch_perms:
          readOnlyRootFilesystem: true
        elasticsearch_master:
          privileged: true
          capabilities:
            add:
              - IPC_LOCK
              - SYS_RESOURCE
          readOnlyRootFilesystem: false
    snapshot_repository:
      pod:
        runAsUser: 0
      container:
        register_snapshot_repository:
          readOnlyRootFilesystem: true
    test:
      pod:
        runAsUser: 0
      container:
        helm_test:
          readOnlyRootFilesystem: true
    data:
      pod:
        runAsUser: 0
      container:
        memory_map_increase:
          privileged: true
          readOnlyRootFilesystem: true
        elasticsearch_perms:
          readOnlyRootFilesystem: true
        elasticsearch_data:
          privileged: true
          capabilities:
            add:
              - IPC_LOCK
              - SYS_RESOURCE
          # NOTE: This was changed from true to false to account for
          # recovery scenarios when the data pods are unexpectedly lost due to
          # node outages and shard/index recovery is required
          readOnlyRootFilesystem: false
    gateway:
      pod:
        runAsUser: 0
      container:
        memory_map_increase:
          privileged: true
          readOnlyRootFilesystem: true
        apache_proxy:
          readOnlyRootFilesystem: false
        elasticsearch_gateway:
          privileged: true
          capabilities:
            add:
              - IPC_LOCK
              - SYS_RESOURCE
          readOnlyRootFilesystem: false
    curator:
      pod:
        runAsUser: 0
      container:
        curator:
          readOnlyRootFilesystem: true
    verify_repositories:
      pod:
        runAsUser: 0
      container:
        elasticsearch_verify_repositories:
          readOnlyRootFilesystem: true
    create_template:
      pod:
        runAsUser: 0
      container:
        create_elasticsearch_template:
          readOnlyRootFilesystem: true
  # Soft anti-affinity: prefer to spread replicas across hostnames.
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  replicas:
    master: 3
    data: 3
    client: 3
    gateway: 3
  lifecycle:
    upgrades:
      statefulsets:
        pod_replacement_strategy: RollingUpdate
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    # Grace periods in seconds; data pods get twice as long as the others.
    termination_grace_period:
      master:
        timeout: 600
      data:
        timeout: 1200
      client:
        timeout: 600
      prometheus_elasticsearch_exporter:
        timeout: 600
  # Hooks for extra volumes/mounts; empty by default.
  mounts:
    elasticsearch:
      elasticsearch:
    elasticsearch_templates:
      elasticsearch_templates:
  # NOTE(review): `enabled: false` presumably means none of the requests and
  # limits below are applied by default, leaving the pods unbounded --
  # confirm in the templates and enable in overrides for shared clusters.
  resources:
    enabled: false
    apache_proxy:
      limits:
        memory: "1024Mi"
        cpu: "2000m"
      requests:
        memory: "128Mi"
        cpu: "100m"
    client:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    master:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    data:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    prometheus_elasticsearch_exporter:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    gateway:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      curator:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      elasticsearch_templates:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      snapshot_repository:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      storage_init:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      s3_bucket:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      s3_user:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
# Ingress/egress rule sets for the NetworkPolicy of each workload.
#
# NOTE(review): a single empty rule (`- {}`) matches every peer and port, so
# these defaults allow all ingress and all egress. In addition,
# manifests.network_policy is false in this file, so the policies are
# presumably not rendered at all by default. Supply explicit rules in
# overrides before relying on network isolation for the cluster.
network_policy:
  elasticsearch:
    ingress:
      - {}
    egress:
      - {}
  prometheus-elasticsearch-exporter:
    ingress:
      - {}
    egress:
      - {}
# Names of the Kubernetes Secret objects the chart uses. These are object
# names only; the credential values themselves come from the `endpoints`
# section of this file.
secrets:
  rgw:
    admin: radosgw-s3-admin-creds
    elasticsearch: elasticsearch-s3-user-creds
  elasticsearch:
    user: elasticsearch-user-secrets
  tls:
    elasticsearch:
      elasticsearch:
        public: elasticsearch-tls-public
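# Schedules and retained-history counts for the chart's CronJobs.
jobs:
  curator:
    # Run once every six hours, on the hour. The previous value,
    # "* */6 * * *", had `*` in the minute field and therefore matched every
    # minute of hours 0, 6, 12 and 18 (60 runs per window).
    cron: "0 */6 * * *"
    history:
      success: 3
      failed: 1
  verify_repositories:
    # Every 30 minutes.
    cron: "*/30 * * * *"
    history:
      success: 3
      failed: 1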
# Configuration file contents and settings rendered into the pods.
conf:
  # Apache httpd configuration for the reverse proxy that sits in front of
  # the Elasticsearch client port and enforces HTTP Basic auth (htpasswd
  # file, then LDAP).
  #
  # NOTE(review):
  # - The proxy listens on plain HTTP (`Listen 80`). Basic-auth credentials
  #   cross that hop unencrypted unless TLS is terminated in front of it.
  # - The LDAP bind DN and bind password are interpolated into this text
  #   from .Values.endpoints.ldap.auth.admin, so the rendered httpd.conf is
  #   itself secret material -- confirm the template stores it in a Secret
  #   rather than a ConfigMap. The default LDAP scheme in `endpoints` is
  #   `ldap` (unencrypted).
  # - Only the update-by-query and delete-by-query paths are denied; as far
  #   as this file shows, every other API is open to any authenticated
  #   user, so the proxy is an authentication gate, not an authorization
  #   layer.
  # - Several loaded modules (for example status, autoindex, proxy_connect,
  #   access_compat) are not referenced by any directive below; they look
  #   removable -- verify against conf/extra/proxy-html.conf first.
  httpd: |
    ServerRoot "/usr/local/apache2"

    Listen 80

    LoadModule allowmethods_module modules/mod_allowmethods.so
    LoadModule mpm_event_module modules/mod_mpm_event.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule access_compat_module modules/mod_access_compat.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule reqtimeout_module modules/mod_reqtimeout.so
    LoadModule filter_module modules/mod_filter.so
    LoadModule proxy_html_module modules/mod_proxy_html.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule env_module modules/mod_env.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule version_module modules/mod_version.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
    LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
    LoadModule unixd_module modules/mod_unixd.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule rewrite_module modules/mod_rewrite.so

    <IfModule unixd_module>
      User daemon
      Group daemon
    </IfModule>

    <Directory />
      AllowOverride none
      Require all denied
    </Directory>

    <Files ".ht*">
      Require all denied
    </Files>

    ErrorLog /dev/stderr

    LogLevel warn

    <IfModule log_config_module>
      LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
      LogFormat "%h %l %u %t \"%r\" %>s %b" common

      <IfModule logio_module>
        LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
      </IfModule>

      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout common
      CustomLog /dev/stdout combined
      CustomLog /dev/stdout proxy env=forwarded
    </IfModule>

    <Directory "/usr/local/apache2/cgi-bin">
      AllowOverride None
      Options None
      Require all granted
    </Directory>

    <IfModule headers_module>
      RequestHeader unset Proxy early
    </IfModule>

    <IfModule proxy_html_module>
      Include conf/extra/proxy-html.conf
    </IfModule>

    <VirtualHost *:80>
      <Location />
        ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
        ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
        AuthName "Elasticsearch"
        AuthType Basic
        AuthBasicProvider file ldap
        AuthUserFile /usr/local/apache2/conf/.htpasswd
        AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
        AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
        AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
        Require valid-user
      </Location>

      # Restrict access to the Elasticsearch Update By Query API Endpoint to prevent modification of indexed documents
      <Location /*/_update_by_query*>
        Require all denied
      </Location>
      # Restrict access to the Elasticsearch Delete By Query API Endpoint to prevent deletion of indexed documents
      <Location /*/_delete_by_query*>
        Require all denied
      </Location>
    </VirtualHost>
  # Log4j2 properties: console-only logging at INFO.
  log4j2: |
    status = error
    appender.console.type = Console
    appender.console.name = console
    appender.console.layout.type = PatternLayout
    appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker%m%n
    rootLogger.level = info
    rootLogger.appenderRef.console.ref = console
  # JVM flags. A leading `N:`, `N-M:` or `N-:` restricts a flag to the given
  # JVM major version(s), which keeps flags dropped by newer JVMs (the CMS
  # and Java 8 GC-logging options) away from them.
  #
  # NOTE(review): heap dumps on OOM are written under `data`; a heap dump
  # holds whatever was in memory, including indexed documents, so treat that
  # location as sensitive and make sure it is sized for it.
  jvm_options: |
    -Xms1g
    -Xmx1g
    -Des.networkaddress.cache.ttl=60
    -Des.networkaddress.cache.negative.ttl=10
    -XX:+AlwaysPreTouch
    -Xss1m
    -Djava.awt.headless=true
    -Dfile.encoding=UTF-8
    -Djna.nosys=true
    -XX:-OmitStackTraceInFastThrow
    -Dio.netty.noUnsafe=true
    -Dio.netty.noKeySetOptimization=true
    -Dio.netty.recycler.maxCapacityPerThread=0
    -Dlog4j.shutdownHookEnabled=false
    -Dlog4j2.disable.jmx=true
    -Djava.io.tmpdir=${ES_TMPDIR}
    -XX:+HeapDumpOnOutOfMemoryError
    -XX:HeapDumpPath=data
    -XX:ErrorFile=logs/hs_err_pid%p.log
    8:-XX:+PrintGCDetails
    8:-XX:+PrintGCDateStamps
    8:-XX:+PrintTenuringDistribution
    8:-XX:+PrintGCApplicationStoppedTime
    8:-Xloggc:logs/gc.log
    8:-XX:+UseGCLogFileRotation
    8:-XX:NumberOfGCLogFiles=32
    8:-XX:GCLogFileSize=64m
    8-13:-XX:+UseConcMarkSweepGC
    8-13:-XX:CMSInitiatingOccupancyFraction=75
    8-13:-XX:+UseCMSInitiatingOccupancyOnly
    9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
    9-:-Djava.locale.providers=COMPAT
    10-:-XX:UseAVX=2
  init:
    max_map_count: 262144
  ceph:
    admin_keyring: null
  curator:
    action_file:
      # Remember, leave a key empty if there is no value. None will be a string,
      # not a Python "NoneType"
      #
      # Also remember that all examples have 'disable_action' set to True. If you
      # want to use this action as a template, be sure to set this to False after
      # copying it.
      #
      # NOTE(srwilkers): The list of actions below is kept empty, and should be
      # driven purely by overrides. As these items are injected as pure YAML,
      # the desired configuration should include all fields as to avoid unwanted
      # merges with a set of dummy default values. The supplied values can be
      # used as an example
      actions:
        # 1:
        #   action: delete_indices
        #   description: >-
        #     "Delete indices older than 7 days"
        #   options:
        #     timeout_override:
        #     continue_if_exception: False
        #     ignore_empty_list: True
        #     disable_action: True
        #   filters:
        #   - filtertype: pattern
        #     kind: prefix
        #     value: logstash-
        #   - filtertype: age
        #     source: name
        #     direction: older
        #     timestring: '%Y.%m.%d'
        #     unit: days
        #     unit_count: 7
        # 2:
        #   action: delete_indices
        #   description: >-
        #     "Delete indices by age if available disk space is
        #      less than 80% total disk"
        #   options:
        #     timeout_override: 600
        #     continue_if_exception: False
        #     ignore_empty_list: True
        #     disable_action: True
        #   filters:
        #   - filtertype: pattern
        #     kind: prefix
        #     value: logstash-
        #   - filtertype: space
        #     source: creation_date
        #     use_age: True
        #     # This space assumes the default PVC size of 5Gi times three data
        #     # replicas. This must be adjusted if changed due to Curator being
        #     # unable to calculate percentages of total disk space
        #     disk_space: 12
        # 3:
        #   action: snapshot
        #   description: >-
        #     "Snapshot indices older than one day"
        #   options:
        #     repository: logstash_snapshots
        #     # Leaving this blank results in the default name format
        #     name:
        #     wait_for_completion: True
        #     max_wait: 3600
        #     wait_interval: 10
        #     timeout_override: 600
        #     ignore_empty_list: True
        #     continue_if_exception: False
        #     disable_action: True
        #   filters:
        #   - filtertype: age
        #     source: name
        #     direction: older
        #     timestring: '%Y.%m.%d'
        #     unit: days
        #     unit_count: 1
        # 4:
        #   action: delete_snapshots
        #   description: >-
        #     "Delete snapshots older than 30 days"
        #   options:
        #     repository: logstash_snapshots
        #     disable_action: True
        #     timeout_override: 600
        #     ignore_empty_list: True
        #   filters:
        #   - filtertype: pattern
        #     kind: prefix
        #     value: curator-
        #     exclude:
        #   - filtertype: age
        #     source: creation_date
        #     direction: older
        #     unit: days
        #     unit_count: 30
    config:
      # Remember, leave a key empty if there is no value. None will be a string,
      # not a Python "NoneType"
      client:
        hosts:
          - ${ELASTICSEARCH_HOST}
        # NOTE(review): Curator talks to Elasticsearch without TLS by
        # default; certificate validation stays on (`ssl_no_validate:
        # False`) for when `use_ssl` is enabled in overrides.
        use_ssl: False
        ssl_no_validate: False
        timeout: 60
      logging:
        loglevel: INFO
        logformat: logstash
        blacklist:
          - 'elasticsearch'
          - 'urllib3'
  elasticsearch:
    config:
      bootstrap:
        memory_lock: true
      cluster:
        name: elasticsearch
        remote:
          connect: ${NODE_GATEWAY}
      discovery:
        # NOTE(srwilkers): This gets configured dynamically via endpoint lookups
        seed_hosts: null
      # NOTE(review): binds to every interface in the pod; reachability is
      # then decided by the Services, ingress and network policy around it.
      network:
        host: 0.0.0.0
      s3:
        client:
          default:
            # NOTE(srwilkers): This gets configured dynamically via endpoint
            # lookups
            endpoint: null
            # NOTE(review): snapshot traffic to the S3 endpoint is plain
            # HTTP by default.
            protocol: http
      node:
        ingest: ${NODE_INGEST}
        master: ${NODE_MASTER}
        data: ${NODE_DATA}
        name: ${NODE_NAME}
        max_local_storage_nodes: 3
      path:
        data: /data
        logs: /logs
    snapshots:
      enabled: false
      # NOTE(srwilkers): The path for the radosgw s3 endpoint gets populated
      # dynamically with this value to ensure the bucket name and s3 compatible
      # radosgw endpoint/path match
      bucket: elasticsearch_bucket
      repositories:
        logstash:
          name: logstash_snapshots
    env:
      java_opts:
        client: "-Xms256m -Xmx256m"
        data: "-Xms256m -Xmx256m"
        master: "-Xms256m -Xmx256m"
  prometheus_elasticsearch_exporter:
    es:
      timeout: 20s
      all: true
      indices: true
      indices_settings: true
      shards: true
      snapshots: true
      # NOTE(review): certificate verification is skipped by default and no
      # CA or client certificate is set. If the Elasticsearch endpoint is
      # switched to HTTPS, set `ca` and turn this off so the exporter
      # actually authenticates the server it scrapes.
      ssl_skip_verify: true
      ca: null
      client_private_key: null
      client_cert: null
  # Objects created through the Elasticsearch API: an index template, an
  # index lifecycle policy and two snapshot lifecycle policies.
  api_objects:
    - endpoint: _template/fluent
      body:
        index_patterns: "logstash-*"
        settings:
          index:
            number_of_shards: 1
        mappings:
          properties:
            kubernetes:
              properties:
                container_name:
                  type: keyword
                  index: false
                docker_id:
                  type: keyword
                  index: false
                host:
                  type: keyword
                  index: false
                namespace_name:
                  type: keyword
                  index: false
                pod_id:
                  type: keyword
                  index: false
                pod_name:
                  type: keyword
                  index: false
    # Deletes indices 14 days after creation/rollover.
    - endpoint: _ilm/policy/delete_all_indexes
      body:
        policy:
          phases:
            delete:
              min_age: 14d
              actions:
                delete: {}
    # Daily snapshot of the non-security indices, kept for 29 days.
    # NOTE(review): `indices` holds a regular-expression-style string;
    # confirm the snapshot lifecycle API accepts that syntax for index
    # selection, otherwise the policy may select nothing.
    - endpoint: _slm/policy/non-security-snapshots
      body:
        schedule: "0 30 1 * * ?"
        name: "<non-security-logs-snapshot-{now/d}>"
        repository: logstash_snapshots
        config:
          indices:
            - "^(.*calico-|.*ceph-|.*jenkins-|.*journal-|.*kernel_syslog-|.*kubernetes-|.*libvirt-|.*logstash-|.*openvswitch-|.*utility_access-).*$"
          ignore_unavailable: true
          include_global_state: false
          wait_for_completion: true
          max_wait: 64800
          wait_interval: 30
          ignore_empty_list: true
          continue_if_exception: true
          disable_action: false
        retention:
          expire_after: 29d
    # Daily snapshot of the security-relevant indices (audit, auth, flows,
    # ...), kept for 179 days. The same caveat about the `indices` syntax
    # applies here.
    - endpoint: _slm/policy/security-snapshots
      body:
        schedule: "0 30 1 * * ?"
        name: "<security-logs-snapshot-{now/d}>"
        repository: logstash_snapshots
        config:
          indices:
            - "^(.*airship-|.*audit_tsee-|.*auth-|.*flows-|.*lma-|.*openstack-).*$"
          ignore_unavailable: true
          include_global_state: false
          wait_for_completion: true
          max_wait: 18000
          wait_interval: 30
          ignore_empty_list: true
          continue_if_exception: true
          disable_action: false
        retention:
          expire_after: 179d
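# Service endpoints (names, hosts, schemes, ports) and the credentials used
# to reach them.
#
# NOTE(review): every credential in this section is a well-known placeholder
# (`changeme`, `password`, `*_access_key`, `*_secret_key`). They must be
# overridden per deployment, from a values source that is not committed to
# version control; a release installed with these defaults is protected by
# publicly known passwords.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  elasticsearch:
    name: elasticsearch
    namespace: null
    auth:
      # Placeholder credentials -- override before deploying.
      admin:
        username: admin
        password: changeme
      logging:
        username: remote
        password: changeme
    hosts:
      data: elasticsearch-data
      default: elasticsearch-logging
      discovery: elasticsearch-discovery
      # Spelling corrected from `elasticsaerch-gateway`. Anything rendered
      # from this host name (presumably the gateway Service) is renamed with
      # it; releases that depend on the old name can pin it in overrides.
      gateway: elasticsearch-gateway
      public: elasticsearch
    host_fqdn_override:
      default: null
      # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
    path:
      default: null
    # Plain HTTP by default; TLS is only available through the
    # host_fqdn_override format described above.
    scheme:
      default: http
      gateway: tcp
    port:
      client:
        default: 9200
      http:
        default: 80
      discovery:
        default: 9300
  prometheus_elasticsearch_exporter:
    namespace: null
    hosts:
      default: elasticsearch-exporter
    host_fqdn_override:
      default: null
    path:
      default: /metrics
    scheme:
      default: 'http'
    port:
      metrics:
        default: 9108
  ldap:
    hosts:
      default: ldap
    auth:
      # Bind account used by the Apache proxy (conf.httpd). Placeholder
      # password -- override before deploying.
      admin:
        bind: "cn=admin,dc=cluster,dc=local"
        password: password
    host_fqdn_override:
      default: null
    path:
      default: "/ou=People,dc=cluster,dc=local"
    # NOTE(review): unencrypted LDAP on port 389; the bind password and the
    # user passwords being checked travel in cleartext on this hop.
    scheme:
      default: ldap
    port:
      ldap:
        default: 389
  ceph_object_store:
    name: radosgw
    namespace: null
    auth:
      # Placeholder S3 key pairs -- override before deploying.
      elasticsearch:
        username: elasticsearch
        access_key: "elastic_access_key"
        secret_key: "elastic_secret_key"
      admin:
        username: s3_admin
        access_key: "admin_access_key"
        secret_key: "admin_secret_key"
    hosts:
      default: ceph-rgw
      public: radosgw
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: http
    port:
      api:
        default: 8088
        public: 80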
# Prometheus integration. The exporter is off by default; `scrape` applies
# to the exporter once it is enabled.
monitoring:
  prometheus:
    enabled: false
    elasticsearch_exporter:
      scrape: true
# External exposure of the cluster.
#
# NOTE(review): the ingress is marked public by default. Together with the
# placeholder credentials under `endpoints`, an unmodified install is
# reachable from wherever the ingress controller is and guarded only by
# default passwords -- review both before exposing it.
network:
  elasticsearch:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    # NodePort exposure is off by default.
    node_port:
      enabled: false
      port: 30920
  remote_clustering:
    enabled: false
    node_port:
      port: 30930
# Persistent volume claims for the data and master nodes.
storage:
  data:
    enabled: true
    pvc:
      name: pvc-elastic
      access_mode:
        - "ReadWriteOnce"
    requests:
      storage: 5Gi
    storage_class: general
  master:
    enabled: true
    pvc:
      name: pvc-elastic
      access_mode:
        - "ReadWriteOnce"
    requests:
      storage: 1Gi
    storage_class: general
# Switches that presumably control which Kubernetes manifests the chart
# renders (one flag per template) -- verify against the templates.
#
# NOTE(review): both `network_policy` and
# `monitoring.prometheus.network_policy_exporter` are false, so no
# NetworkPolicy is created by default and pod traffic is unrestricted at
# the network layer unless these are enabled in overrides.
manifests:
  configmap_bin_curator: true
  configmap_bin_elasticsearch: true
  configmap_etc_curator: true
  configmap_etc_elasticsearch: true
  configmap_etc_templates: true
  cron_curator: true
  cron_verify_repositories: true
  deployment_client: true
  ingress: true
  job_elasticsearch_templates: true
  job_image_repo_sync: true
  job_snapshot_repository: true
  job_s3_user: true
  job_s3_bucket: true
  helm_tests: true
  secret_elasticsearch: true
  secret_s3: true
  monitoring:
    prometheus:
      configmap_bin_exporter: true
      deployment_exporter: true
      network_policy_exporter: false
      service_exporter: true
  network_policy: false
  secret_ingress_tls: true
  service_data: true
  service_discovery: true
  service_ingress: true
  service_logging: true
  statefulset_data: true
  statefulset_master: true
...